
The prompt frequency is still ridiculous for the standard user case. I assume that's what we're talking about as it's the only true security boundary, and yet MS have done little to improve the amount of prompting there.

That's part of the problem.

MS should have refactored their apps so that they prompt less. (e.g. by caching objects through consecutive/related operations or giving Explorer an Admin Mode you could toggle via a single prompt, which is a better trade-off of security and convenience than it always being in admin mode as it is in Win7.)

MS should have improved UAC so that it could display securely-generated descriptions of actions about-to-be-performed as part of the UAC prompts so that the absolutely braindead prompts-about-prompts Explorer shows could be merged into the actual UAC dialog.

If MS had done those things then both the admin and standard user cases would be much less painful to use at the Always Prompt level.

If MS had done this then they would not have needed to add a stupid, anti-competitive hack which hides UAC prompts from default users in their apps only while at the same time undermining the UAC prompt system with a hole you could drive a tank through*.

If MS had done that then standard user accounts might be something people would consider using instead of something they'll run away from faster than they ran away from Vista's UAC.

If MS had done that then we might be discussing whether or not standard user should be the default account type in Windows 7 instead of discussing this stuff.

(* And, dammit Larry, that hole is bigger than it was in Vista. Being prompted to let malware elevate vs allowing it to immediately and silently elevate is a significant difference. If it isn't then why do MS try to stop it happening at all? If it isn't then surely standard user accounts are vulnerable to exactly the same UAC prompt spoofing? By your own logic, then, you actually do have the same prompt-spoofing security hole crossing a security boundary. I don't buy your logic at all. It's an excuse, not reasoning. I hate to be arguing with people like Larry and Mark because I think they're great, intelligent, knowledgeable guys and I've enjoyed reading their stuff, and occasionally talking to them via their blogs, in the past, but so be it if they wheel out logic like this.)

I'm seeing a lot of push back on the security front, so let's talk about why UAC is here.
The "standard user" vision.

With Windows 7's new auto-elevation and its white-list features in place, I believe self-elevation (read: the hole) becomes easy and valuable to third parties. Bill Pytlovany (WinPatrol), for example, indicated he "wouldn’t think twice of taking advantage of this" to save his users from having to go through the UAC prompt. Microsoft, of all companies, should know developers will write code that oozes into the nooks and crannies of the Windows operating system. It may not be right, but it'll be done. Ask the AppCompat guys.

I can see the exchange on Experts Exchange now...

BadAdvisor: "You can fix your LUA broken application by elevating."

WorseDeveloper: "How do I do that?"

BadAdvisor: "Well you can request elevation by adding this to your application manifest, or you can use this piece of code to self-elevate, without prompts. It works on Windows 7, I tested it!"